Help! I have to choose a SIEM-solution

Help! I have to choose a SIEM-solution

When you need to make a choice for a Security Information & Event Management (SIEM) solution, it is not simple to choose the right solution. The selection of a SIEM solution is really quite difficult. The selection pathways are long and complex. There is not one SIEM tool that meets all the requirements!

Why do you even need a SIEM tool?

There can be several reasons you need a SIEM solution. For instance, the compliancy requirements or laws and regulations of the country where you are operating, play an important role, but it can also be enforced by the policy of the organisation. Of course, this does not need to be the reason to purchase a SIEM tool. It may also be that your organisation is aware of the possibilities this solution can give to get control over your IT assets.

Log management solution

Do you only want a central solution for your log information? Consider then a log management solution, instead of a full-fledged SIEM solution. A log management solution offers a couple of benefits, e.g. the relatively low purchase and arrangement costs. A SIEM solution is expensive, both in the purchase as in licenses and maintenance. Let alone the necessary knowledge and manpower that are needed to configure and maintain this tool. Log management solutions can be a lot cheaper. If open source solutions appeal to you more, you should consider solutions like Elastic Stack, Kibana, Graylog, or Splunk.

Product selection

Back to the choice of a SIEM solution. How do you select the right product? How do you need to get started, who actually offers this kind of solutions? Gartner offers a good starting point; it annually publishes so-called Magic Quadrants for several IT focus areas, among which the category SIEM solutions.

In the Magic Quadrants, you can see who is active on the (international) market, regarding SIEM solutions. Do not pay too much attention to the positioning in the chart, you can assume the products in the upper right corner meet most requirements.

Demands & wishes

The key question is: how do you determine which tool fits your company best? This has to do with your demands and wishes. A few points will be clear immediately, because these will come from the compliancy requirements & law and regulations. For instance, think about the law about data leaks and the recently approved DGPR regulations. However, these are not the only requirements for a SIEM tool. You also have to define functional and technical demands and wishes. How do you make a list that will not become endless?

Categories

A good start is distinguishing categories which you think are important for the SIEM solution. Think about the user interface. Should this be web-based, or do you not mind having to install local software? You can carry this through to the demands and wishes regarding log management, storage and storing period, regulations, reporting & data boards, and the user experience.

Kickstart

We advise you to start with the requirements in the field of compliancy, laws and regulations. That will give you a good kickstart. Take storage and data saving periods as an example: it occurs that compliancy, laws and regulations require data to be stored for at least a year (or longer). Then you can purchase a SIEM solution with a lot of storage space. However, it will be expensive if you store all this information in the SIEM solution. Find out what type of storage is suitable for which type of information. For ‘older’ data, you may just as well consider choosing cheaper, slower or offline options to store the data.

Format

Consider also to use a standard format: ‘’I would like <as type user>, that I can <functional, technical demands>, to <certain goal or demand>.’’ With this clear formulation, you make things easier for all parties involved to fill in their demands and wishes. This will give you clearly formulated demands and wishes.

Stakeholders

Perhaps multiple branches will be using the SIEM solution. Besides the SOC, the Compliancy of Auditing departments can also demand access to certain tasks they must be able to perform.

Take your time

At the end the inventory process can result in dozens of demands and wishes, some more realistic than others. It is even possible that they will reinforce each other or become superfluous. Our most important advice is: take your time and get together with all relevant stakeholders. Brainstorm with both technical and functional users and all involved branches (like Legal and Marketing). Because a good alignment in the beginning, will result in a long-term usage of a SIEM solution.

Need help?

Do you need help with selecting your future SIEM solution? The consultants of Navaio are eager to help you. We can also assist you with the SOC tender.